Why Your Organization Needs to Conduct Exercises: Understanding the The Bottom-Line Impacts

CURTIS MARQUARDT JR.:
Thank you so much for joining us today. Can you please tell our readers more about yourself and your role at the Cybersecurity & Infrastructure Security Agency (CISA)?

GARY BOYER:
Absolutely. I’m the Branch Chief for the infrastructure Security Exercise Branch—which is part of the Infrastructure Security Division within CISA. I’ve been in emergency management for about 20 years, the last ten of which I have focused on exercises with the critical infrastructure and private sector communities. We conduct and plan exercises that include seminars, workshops, tabletops and full-scale exercises.

Our team looks to provide cyber security, physical security and convergence, threat vector exercises. For example, with convergence, if there is an active shooter at a baseball stadium and 10,000 people all call 911 at once, will that look a lot like a denial of service attack on your infrastructure? So we conduct those exercises for our partners across the country in both the private and public sector so we can further enhance the resilience of the nation.

CURTIS MARQUARDT JR.:
This interview is going in our C-Suite perspective column. Can you talk directly to C-suite folks at our nation’s utilities about why conducting exercises is so vital to the success of their respective organizations?

GARY BOYER:
The greatest benefit to regularly conducting exercises is that it provides the opportunity to make mistakes in blue sky, no-fault environments where you get the chance to do it over again and figure out the right way to do it. You get to also identify false assumptions that have maybe made it into your [security and resiliency] planning efforts.

Additionally, exercises also provide what I like to call an “aha moment.” In all my experiences, I don’t think that I have been a part of an exercise where someone hasn’t said, “oh, we need to change that” or “hey, that’s a great idea!” There’s always some nugget that someone is able to pull out and really utilize it to make impactful changes.

CURTIS MARQUARDT JR.:
So, turning the utility segment, what are the security challenges that you most often see them conducting exercises for? Or on the flip side, what are some things they should be looking at doing more exercises for?

GARY BOYER:
I think what we get the greatest number of requests for is cybersecurity-related exercises. Cyber threats are something that are occurring day in, day out to a number of our partners. So they’re looking for that opportunity to just walk through how we respond to it, how we handle the information flow or how we recover.

And we get requests for convergence exercises. For example, what happens if an adversary gets into the system? Are there real world impacts? How does that affect the ability for the utility providers to provide the services that people need in order to live their lives?

We also see a significant number of exercises come in regarding unmanned aerial system (UAS) threat vectors that we see across the country. I’d say the UAS threat is similar to cybersecurity in that everyone has concerns about it, from baseball stadiums to utilities. It’s a problem that so many are facing.

And we see requests come in for insider threat exercises. They want to know how people will respond to somebody who is within the organization—whether they are a disgruntled employee or maybe had a bad day—and decide to take it out on the organization. Or maybe they are radicalized in some way, shape or form and are looking to conduct some sort of cyber attack or create an active shooter incident.

Additionally, we see requests come in for the natural threats we are seeing. Stronger storms, longer heat waves, drought and other threat vectors that just weren’t a problem before.

There are so many things happening to conduct exercises on. While it may seem impossible to exercise for them all, I always say it’s important to just be conducting some kind of exercises, because how you respond to one incident has threads with how you respond to another. They’re all kind of interconnected to an extent.

CURTIS MARQUARDT JR.:
So, another utilities-related question for you. Utilities often work with outside contractors. So, there are instances where they have new folks coming and going through their facilities and operations quite frequently. How should that aspect of having a rotating door of new faces impact a utility’s strategy for conducting exercises?

GARY BOYER:
There is one issue that we recommend that people look at when they have outside contractors or outside vendors that are integral to their day-to-day operations. If something were to happen, how do we make sure that we have everybody accounted for and everybody is where they’re supposed to be? This is especially important when you have people that are coming on to a site that you or your system doesn’t necessarily keep track of—and you’re expecting somebody else’s system to grab hold of them.

As I mentioned previously, sometimes expectations don’t match up to what really happens. By talking through some of the aspects of an incident via an exercise, you’re able to identify those assumptions that can be fixed in blue skies.

CURTIS MARQUARDT JR.:
Earlier in this interview, you mentioned “aha moments” when you conduct exercises with organizations. The participants discovered some areas where there were deficiencies. What are some common security deficiency areas in utilities or other critical infrastructure organizations?

GARY BOYER:
So that’s a bit of a tough question because every organization is different. Everybody has different kinds of threat calculus that they’re working through for different hazards. So I wouldn’t say that there are things that are necessarily being missed or mistakes being made.

If I had to pick one, I’d say that organizations just need to conduct more training to be better prepared. One misconception about conducting exercises is that people avoid them because they think it has to be this large, all-encompassing event that has 70 to 100 people at a table or 600 people running around trying to handle an issue. In reality, an exercise can be as simple as 3 to 4 people at a table just talking through something and getting them to discover better actions if an incident occurs.

CURTIS MARQUARDT JR.:
So many C-suite folks who are reading this have the financial, legal and insurance aspects of the organization in mind when they are planning just about every aspect of their respective organizations. Can you talk to them about the values and ways that training and conducting exercises can improve upon those areas?

GARY BOYER:
If an incident occurs with an organization, it is going to have business impacts across the board. So we have to look at an incident risk at the angle of “what impact will this have on our ability to provide our services so that we have business continuity?” If an incident occurs, do you have a business continuity plan in place? Do you have enough on-site materials in order to continue delivering to customers?

There are a number of these different aspects that my team tries to discuss as part of every single one of our exercises, but also if we have the C-suite involved, we try to also tailor that to some of their considerations to get that 30,000-foot level input.

I would say that it is important to have your legal department there during exercises to talk about what sort of exposure an organization would have and what considerations they need to do in order to limit that exposure. Having human capital folks be part of the conversation is good because they can talk about precursor incident information such as how do we shut off access to systems that may be threatened by a disgruntled employee.

And, if you can have your insurers be a part of the exercise, that can sometimes be eye opening in terms of the assumptions you might be making about what they’re going to cover versus what they’re not.

CURTIS MARQUARDT JR.:
Can you provide a bit more information to our readers about the types of services and offerings CISA provides to utilities to help them conduct exercises?

GARY BOYER:
Yeah, absolutely. So, my team and I assist in developing and facilitating cybersecurity and physical security exercises. What we offer ranges from discussion-based exercises all the way to operational exercises that try to simulate as real of an incident as possible.

But this really only scratches the surface of the different offerings that CISA provides. It also has explosives awareness training, emergency communications, active shooter training, and cyber security capabilities. All of these are free resources that we offer. You can find it online at our website (CISA.gov) and we have dedicated professionals who are in every state. We also have our cyber security advisors, who are standing by in order to work with our partners to figure out how to make them more resilient. It really is a small army of dedicated professionals who are looking to help and assist the best ways that we can. We even offer downloadable exercise templates that our partners can download from the CISA.gov site. We make them as plug-and-play as humanly possible by putting information in so that folks can run these exercises at their own pace and capabilities.

To access some of the resources discussed in this article, visit the links below:

Security Advisors
https://www.cisa.gov/about/regions/security-advisors

CISA Tabletop Exercise Packages
https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages

Stakeholder Exercises
https://www.cisa.gov/resources-tools/services/stakeholder-exercises

Find CISA Help Locally
https://www.cisa.gov/audiences/find-help-locally